on predictive routing of security contexts in an all-ip ... · on predictive routing of security...

SECURITY AND COMMUNICATION NETWORKSSecurity Comm. Networks. 2010; 3:4–15Published online 8 September 2009 in Wiley InterScience(www.interscience.wiley.com) DOI: 10.1002/sec.135

On predictive routing of security contexts in anall-IP network‡

Hahnsang Kim∗,† and Kang G. ShinReal-Time Computing Laboratory, Department of Electrical Engineering and Computer Science, The Universityof Michigan, Ann Arbor, MI 48109-2121, U.S.A.

Summary

While mobile nodes (MNs) undergo handovers across inter-wireless access networks, their security contexts mustbe propagated for secure re-establishment of on-going application sessions, such as those in secure mobile internetprotocol (IP), authentication, authorization, and accounting (AAA) services. Routing security contexts via an IPnetwork either on-demand or based on MNs’ mobility prediction, imposes new challenging requirements of securecross-handover services and security context management. In this paper, we present a context router (CXR) thatmanages security contexts in an all-IP network, providing seamless and secure handover services for the mobileusers that carry multimedia-access devices. A CXR is responsible for (1) monitoring of MNs’ cross-handover, (2)analysis of MNs’ movement patterns, and (3) routing of security contexts ahead of MNs’ arrival at relevant accesspoints. The predictive routing reduces the delay in the underlying security association that would otherwise fetch aninvolved security context from a remote server. The predictive routing of security contexts is performed based onstatistical learning of MNs’ movement pattern, gauging (dis)similarities between the patterns obtained via distancemeasurements. The CXR has been evaluated with a prototypical implementation based on an MN mobility modelon a grid. Our evaluation results support the predictive routing mechanism’s improvement in seamless and securecross-handover services by a factor of 2.5. Also, the prediction mechanism is shown to outperform the Kalmanfilter-based method [13] as a Kalman Fiter-based mechanism up to 1.5 and 3.6 times regarding prediction accuracyand computation performance, respectively. Copyright © 2009 John Wiley & Sons, Ltd.

KEY WORDS: secure seamless handovers; selective predictive routing; edit distance; χ2-distance

1. Introduction

Inter-wireless technologies, ranging from IEEE 802networks such as Wi-Fi, WiMax, and personal area net-works, to non-802 networks such as cellular networks,are rapidly converging. This trend has led mobile users

∗Correspondence to: Hahnsang Kim, Department of Electrical Engineering and Computer Science, The University of Michigan,Ann Arbor, MI 48109-2121, U.S.A.

†E-mail: [email protected]‡A subset of this paper was presented at IFIP/IEEE International Symposium on Integrated Network Management 2009 [1].

to carry multimedia-access devices that operate acrossheterogeneous networks, without disrupting on-goingsessions. Meanwhile, the IEEE 802.21 Standard[2] puts into practice the ability of vertical andhorizontal handovers between domains with differentmanagement policies, referred to as cross-handovers.

Copyright © 2009 John Wiley & Sons, Ltd.

SECURITY CONTEXT ROUTER 5

Furthermore, mobile applications impose new chal-lenging requirements of reducing additional delays [3],e.g., fast key establishment between the involved enti-ties for secure network accesses. A ‘security context’that contains such information is essential to the fastand secure re-establishment of the involved securityprotocol flows as mobile nodes (MNs) cross domainboundaries. In particular, an MN’s security context isrouted to a target point of attachment (e.g., an accesspoint (AP)) ahead of its arrival, thereby avoiding thedisruption of on-going sessions. Security contexts ofthis kind vary with the corresponding applications,ultimately requiring an effective, integrated, andscalable way of managing security contexts.

1.1. Related Work

A network-layer-based protocol, called context trans-fer protocol (CXTP) [4], is specified for the purposeof routing (security) contexts. CXTP provides anoption for coping with seamless handovers of MNsthat are equipped with inter-wireless technologies, inconjunction with the IEEE 802.21 Standard. At thesame time, maintaining on-going application sessionswithout disruption requires a ‘map’ via which tomake the corresponding security contexts available toa target AP before the MN’s arrival at that AP. Themap can be represented by a neighbor graph [5] thatexhibits the APs’ logical connectivity, based on MNs’paths. Also, Chou and Shin [6] proposed a packetbuffering-and-forwarding mechanism for smoothhandovers. Additionally, Song et al. [7] presenteda case study that quantifies the possible gains withmobility prediction in a voice over internet protocol(VoIP) application. Similarly, various techniques forthe accurate prediction of the MN’s future locationhave been studied. For instance, user mobility profile[8,9], road topology knowledge [10], and MNs’positioning information [11] have been instrumentalin the mobility prediction for service provisioning andbandwidth reservation in cellular networks. Despitethis extensive research, there is still a gap to fillbetween the prediction and the efficient routing mech-anisms, especially for managing security contextsindependently of inter-wireless access networks toenable seamless secure, handover services.

1.2. Challenges

There are two main challenges in developing an inte-grated framework that enables real-time applications torun without any disruption even when the users undergo

handovers. First, such a framework should be able toroute security contexts to the corresponding ‘receivers’,e.g., routers, ahead of the MN’s arrival, while keepingthe overhead of the routing to a minimum. An effec-tive prediction mechanism can track an MN and thenestimate its future direction. To this end, the correctextraction of features from the MN’s movements is ofutmost importance for prediction. Second, a frameworkshould be easy to deploy. In other words, its deploymentshould not require any new infrastructure. One wayto do so is to build the framework upon the standardtechnologies.

1.3. Contributions

The contributions of this paper are 4-fold as follows:

� We present a comprehensive framework, the contextrouter (CXR) that monitors, detects, and analyzesthe MN’s movement and cross-handover. A CXRconsists of monitoring, analysis, and routing com-ponents. The monitoring component observes anddetects the likelihood of the MN’s cross-handover,and then tracks directional changes in the MN’smovement, yieding the pattern of the associationwith APs. The analysis component gauges the(dis)similarity between an observed pattern anda priori established patterns bound to a distributionof CXR candidates. The analysis ultimately narrowsthe candidates down to a few. The MN’s securitycontext is routed to the selected candidates.

� The abstraction of the MN’s movement at the APlevel provides a tradeoff between the accuracy in pre-diction and tracking and the computation overhead.The CXR logs directional changes in associationwith APs during the MN’s movement, generating atime-history vector of angles (TVAs). The TVA is anabstraction of the MN’s movement pattern where wefocus on the MN’s association with APs rather thanits location.

� An overlay formed by multiple CXRs is independentof the underlying access networks. The overlay grad-ually learns its topology and, hence, facilitates thedeployment of CXRs. The deployment of even onlya few CXRs demonstrates the efficacy of predictiverouting, achieving scalability and manageability.

� The prototype implementation results in the execu-tion of mobility monitoring, analysis, and filtering.We simulate the MN’s movement on a grid, accord-ing to a specified mobility model, and then gauge(dis)similarity of the MNs’ movement patternsagainst a database of movement patterns, using the

Copyright © 2009 John Wiley & Sons, Ltd. Security Comm. Networks. 2010; 3:4–15

DOI: 10.1002/sec

6 H. KIM AND K. G. SHIN

χ2-distance or edit distance [12]. The accuracy of theCXR’s prediction mechanism is evaluated, comparedwith a Kalman filter-based estimation [13].

1.4. Organization

The rest of this paper is organized as follows. Section 2provides the background of a context-transfer protocol,the concept of security contexts and applications usingthem, along with motivations. Section 3 describes amobility model describing the MN’s movement. Sec-tion 4 describes the design of the CXR that consistsof the monitoring of the MNs’ movement patterns andcross-handovers, the analysis of movement patterns,and two routing methods, i.e., predictive and reactiveroutings. Also, implementation issues are discussed.Section 5 evaluates the accuracy of our predictionmechanisms. We conclude the paper in Section 6.

2. Background and Motivation

This section provides an overview of an existingcontext transfer (CT) protocol, and describes securitycontexts, applications thereof, motivation behind thiswork.

2.1. Context Transfer Protocol

CXTP [4] is a protocol in which security contextsare sent and received with the aim of quicklyre-establishing security CT-candidate services, such asthose of authentication, authorization, and accounting(AAA) registration keys for mobile IP [14,15], IPheader compression [16,17], and AAA messageexchange for the IEEE 802.1X [18,19], withoutrequiring an MN to explicitly perform all protocolflows for these services from scratch. CXTP dealswith two distinct scenarios.

In the first scenario, a previous access router (pAR)receives a CT trigger from the MN with the help ofthe IEEE 802.21 Standard that is responsible for han-dover negotiation and layer-2 connectivity, and thenproactively routes a context-transfer data (CTD) mes-sage containing an involved security context to a nextaccess router (nAR), referred to as ‘predictive routing’.However, how to select the target nAR in a predictivemanner is beyond the scope of the specification ofCXTP—filling this gap is part of goals of this work.

In the second scenario, when the predictive routingin the first scenario fails, the nAR receives a CT trig-ger from the MN and then sends a context transfer

request (CT-Req) message to the pAR. In response tothe CT-Req message, the pAR routes a CTD messageto the nAR. The nAR then replies with a CTD-reply(CTDR) message. The second scenario is referred toas ‘on-demand routing’. We will elaborate on thesetwo routing methods when presenting the design ofour framework.

2.2. Security Contexts and Applications

Transfer-candidate services determine types of securitycontexts that they use. Although the concept of securitycontexts is not restricted, for the clarity purposes, twotypes of security contexts are specified in this paper.First, security contexts for mobile IP contain an AAAregistration key required for the secure association [15].When an MN undergoes a handover and attaches itselfto an foreign agent (FA), it requests a registration keyfrom its home AAA server via the FA. Upon receivingthe registration key, the MN verifies a reply messagefrom the FA, creating a security association with the FA[15]. However, the generation of the registration keyrequires message exchanges through the AAA infras-tructure [20] (e.g., a foreign AAA server contacts theMN’s home AAA server), causing a significant delay[17]. Such delays can be reduced greatly by routing asecurity context containing the registration key to theFA from the MN’s home agent (HA) or previous FA.

Like the registration key for mobile IP, security con-texts for the IEEE 802.1X Standard [18] contain theAAA key material. The IEEE 802.1X Standard pro-vides port-based network access control for devicesthat attempt to attach themselves to a LAN port. Theframework positioned behind an AP has three optionsin access control: (1) no authentication in which no fil-ter is applied, (2) wired equivalent privacy (WEP) [21]which was originally designed to prevent wireless com-munication from eavesdropping, but found to have seri-ous security weaknesses, and (3) open authentication—all packets are filtered out except for EAPOL (EAP overLAN) [18]—in which any third-party security mecha-nisms are applied, in conjunction with the IEEE 802.11i[22]. In particular, the 802.11i framework is specifiedjointly with the AAA infrastructure, in which the APserves as an AAA client (or called an authenticator inthe case of the IEEE 802.1X Standard).

Given the MN’s master key shared with its AAAserver, the MN is authenticated via the AAA client(AP) by exchanging messages with the AAA server(e.g., RADIUS [23] or diameter [24]), thereby result-ing in a pairwise master key (PMK) of 256 bits for theAAA server, AAA client, and MN. The PMK is used


DOI: 10.1002/sec


to derive a pairwise temporary key (PTK), with theAAA client and MN communicating with each other.The PTK is a per-AP key that is associated with eachspecific AP, allowing for the protection of the wire-less link between the AP and MN. Thus, the MN’sre-association with another AP requires a new PTK,most likely by interacting with the AAA server. Thisinteraction, however, incurs a significant delay which,in the case of ‘roaming’ or cross-handovers, is propor-tional to the round-trip time between the two involvedAAA servers [25]. Thus, routing a security context con-taining the PMK(s) for authentication should reduce theauthentication latency [26--28].

2.3. Motivation

A legacy scheme that provides secure cross-handoversfor mobile users does not guarantee that the under-lying services remain seamlessly operational, due tothe nature of the Internet via which the involved AAAservers are connected. The delay in communicationsbetween the AAA servers varies with their link qual-ity, and is also proportional to the round-trip timebetween the two servers. Figure 1 illustrates the pro-cedure involved with the secure cross-handover. TheMN’s association with an AP triggers the initiationof an authentication protocol (e.g., diameter or MAP[28]), thereby generating a PTK via the IEEE 802.11iStandard (which corresponds to Step 1). When the MNcrosses a domain boundary and associates with an APin another domain (Step 2), the AAA foreign client(AAAFC) on the AP forwards the AAAF (AAA foreign

Fig. 1. An AAA-based legacy scheme for securing cross-domain handovers: AAAH denotes the MN’s home AAAserver that controls an AAAC (AAA client). Likewise, AAAFdenotes a foreign AAA server that has a security association

and administrative agreement with the AAAH.

server) a roaming security-context request, eventuallyreaching the AAAH (AAA home server) (Steps 3 and4). The AAAH responds with a newly generated PMKto the AAAF (Step 5). As with the PTK generationmechanism, the MN and AP in the other domain pos-sess a PTK to secure their link (Step 6).

For the seamless handover, the overall procedureshould be completed before the link between the AAAhome client (AAAHC) and MN is able to be discon-nected, or the disconnection remains only within anacceptable threshold, e.g., 50 ms for VoIP [29]. The linkbetween the AAAH and AAAF is the most dominat-ing factor in causing the delay that varies with networktraffic. Nevertheless, current systems lack the capabil-ity of ‘pushing’ the security context to the AAAF overan IP-network.

In this paper, we cope with such a pushing mecha-nism by which the security contexts are exchanged ina predictive manner. By doing so, we expect to avoidthe re-establishment of involved security sessions fromscratch while the MN is on the go. On the other hand,the decision to be made on the predictive routing of thesecurity contexts is highly subject to the MN’s mobil-ity pattern. For instance, when most MNs are likely toassociate with a group of specific APs, we may haveonly to route corresponding security contexts to thegroup. The selective, predictive routing of the securitycontexts that we want to offer will achieve secure andseamless cross-handovers.

3. MN’s Mobility

This section presents a simple mobility model for eval-uation purposes, based on which we simulate the MN’smovement on a grid. According to some probabilitydistribution that determines movement patterns, themobility model typically selects two or more elementsincluding speed, distance, angle, destination, or traveltime. Note that the selection of these elements is notsubject to a series of movements (of a single MN). Wethus combine some of these elements and a probabil-ity distribution thereof, resulting in different mobilitymodels [30].

3.1. Mobility Model

Our model selects speed (v) and angle (θt) given time,t. v is a random speed following a Gaussian distribu-tion with a mean µv and variance σv, chosen from[0, 100 mph]. θt is also a random angle following aGaussian distribution with a mean µa and variance σa,


DOI: 10.1002/sec


Fig. 2. Relative anchor-based directional changes.

chosen from [0, π]. In particular, as shown in Figure 2,θt is based on a relative anchor, a base line perpendicu-lar to the previous direction. In this figure, we obtain θi

by calculating θt + θi−1 − π2 . Thus, given a monitoring

interval, �t, an MN’s location is calculated as follows:

(xi+1

yi+1

)=

(xi

yi

)+

(cosθi · v · �t

sinθi · v · �t

)

This way, we mitigate abrupt changes in direction.Clearly, the people’s movement with sharp turns canappear frequently, while such turns rarely do in thevehicles’ movement. Cast studies of this kind are alsofound in References [9,31].

3.2. Assumptions Underlying Our Approach

We tend to track a sequence of the MN’s associationwith APs while the MN undergoes handovers. First,APs assume to be randomly and uniformly distributed,covering the MN’s movement paths. Second, APs’signal strength varies, resulting in the different size oftheir coverage. Under these two assumptions, Figure3(b) shows the MN’s association with APs, zoomingin on a portion of its trace shown in Figure 3(a). Atfirst, the MN keeps associated with apa until reachingposition p1 on the path. At p1 where apb’s signalstrength is greater than apa’s, the MN associatesitself apb. The MN, then, becomes connected toapc at position p2 for the same reason. Just beforereaching position p3, three signals from apc, apd , andape are additionally detected, and since ape’s signalstrength at p3 is greater than that of the others, the MNassociates itself with ape. The cycle of disassociationand association continues based on the signal strength,resulting in a sequence of the MN’s associations: apa,apb, apc, ape, apd , and apf . The sequence is translatedinto a time-varying sequence with the sojourn timespecified at each AP, e.g., (apa, ta).

Fig. 3. An MN’s movement trace and association with APs,with µa, σa, µv, σv each set to π/2, 1, 10 mph, and 1. (a) An

MN’s movement trace; (b) zoomed-in-on circle.

4. The Context Router

The CXR is responsible for monitoring the MNs’movement, detecting the likelihood of their cross-handover, analyzing the MN’s movement patterns,and routing the corresponding security context to theselected CXR(s). This section describes three key com-ponents, i.e., monitoring, analysis, and routing.

4.1. Monitoring

Timely detection of the likelihood of an MN’s cross-handover is of great importance to the predictiverouting of security contexts. For the detection of thecross-handover, the MN issues a trigger message tothe CXR via the IEEE 802.21 Standard. The MN’strigger message, however, does not usually includerouting information on a target CXR, e.g., its iden-tity and IP address. Thus, the target CXR needs toidentify the MN, requiring its security context. When


DOI: 10.1002/sec


the information is not available, all relevant protocolflows are re-established from scratch. Alternatively, thebinding CXR is aware of the cross-handover detectionwhenever the MN associates itself with an AP in theboundary. This can be realized by tracking the MN’smovements.

The CXR tracks the MN’s association with APs viaan AP queue (APQ). The APQ is a list on which theMNs are registered when they are bound to the CXR.The CXR, cxrj needs to verify whether the AP (withwhich the MN is associated) is on a domain boundary.For this, a boundary neighbor register (BNR) on cxrj isdefined as a triple (apj , cxrk, apk), where apj is an APon the cxrj’s boundary, and apk is an AP on the cxrk’sboundary, adjacent to apj . The relationship betweenapj , cxrk, and apk is established and registered with thecxrj’s BNR when the MN undergoes a cross-handoverfrom apj to apk, leading cxrk to add (apk, cxrj , and apj)to its BNR. The relationship, however, does not neces-sarily mean that cxrj and cxrk are physically adjacentto each other; however, they are ‘logical’ neighbors toeach other (i.e., one reaches the other through an n-hoproute).

For the MN’s directional pattern, a time-varyingassociation sequence is represented by a TVA. The TVAis a sequence of changes in direction which are calcu-lated with the associated APs’ location. The TVA iseventually encoded into a sequence of indices. Thesequence of indices represents the MN’s movementpattern that will be used to predict its future cross-handover. The detail of creating the index sequenceis as follows.

First, a time-varying association sequence [(apa, 4),(apb, 5), (apc, 5), (ape, 4), (apd , 6), (apf , 4)], where thesecond elements represent time steps as a sojourn timeat each AP indicated by the first elements, is recorded.In particular, the association sequence can be shrunk byadjusting the time interval at which the association isstamped on the sequence. For instance, when the timeinterval is set to three steps, the sequence appears as[apa, apb, apc, ape, apd , apd , apf ] in the case where eachAP monitors, or [apa, apb, apb, apc, ape, ape, apd , apd ,apf ] in the case where the CXR monitors; the formeris more representative for changes in direction than thelatter—a similar approach is also found in Reference[32]. Once the association sequence is provided, theslope from a pair of apa and apb, i.e., θab with theircoordinate is calculated. This way, the MN’s movementis abstracted. Likewise, θbc is calculated with apb’s andapc’s coordinates. This calculation repeats until the lastwith a pair of apd and apf completes. Thus, the TVAhaving [θij , θjk, · · ·, θmn] is generated. Next, the TVA

is encoded by quantizing angles:

2π

n(k − 1) ≤ θ <

2π

nk, k ≤ n ∈ Z (1)

where n is the total number of quantized angles. Whenn = 8, they lead in eight directions, which we will keepin the remainder of this paper. Note, however, that thismodel can be generalized with the number of directionsadjusted. As a result from the encoding, each directionis labeled with an index of the quantized angle, k, andthen the corresponding TVA is eventually transformedinto an index sequence [i, j, · · · , m], where i, j, andm ≤ 8.

4.2. Analysis

An index sequence as a new pattern is added to a patterndata register (PDR). The PDR is a set of entities, eachof which consists of a unique pattern that is representedby an index sequence and distribution. The distribution,pd, is created with pairs of a neighbor CXR and degreeto which the index sequence is statistically bound toeach neighbor CXR. That is, as the MN having a spe-cific pattern is tightly bound to a specific CXR, thedegree to the CXR is increased. pd is denoted by

pd = {(cxr1, dg1), · · · , (cxrn, dgn)} (2)

Using this distribution, we select neighbor CXRs towhich the MN will be bound with a certain probability.The selection of the CXRs involves two main steps:matching patterns and filtering out the CXRs having alow degree.

4.2.1. Matching Patterns

Matching patterns is to gauge (dis)similarities betweenan observed TVA and each a priori pattern stored in thePDR. We represent the similarity with the distance thatis calculated by editing one pattern to make it the sameas the other (i.e., edit distance [12]), or alternativelyapplying the χ2-distance [12]. The advantage of thetwo methods is to provide a threshold which we adjustfor the degree of the similarity as follows:

f (a, b) < δd (3)

where a and b are pattern sequences, and f is either theediting function, e, or χ2-distance calculating function.The smaller the value of δd , the more fine-grained thematching can be, and the more specific the group in


DOI: 10.1002/sec


which the TVAs are accepted as the same. The num-ber of pattern sequences in the PDR, however, cangrow, likely increasing the computation complexity.To contain the complexity, a multi-class support vectormachines (SVM) technique [33--35] can be applied.In SVM, all pattern sequences are mapped into amulti-dimentional feature space in which the patternsequences are transformed and then used to generatesupport vectors. These support vectors form the (mul-tiple) hyperplane(s) by which all the sequences areclassified. If this is the case, only support vectors arestored and compared with new pattern sequences.

Function e takes two indexed TVAs: a1 · · · an andb1 · · · bn, forming an (n + 1) × (n + 1) matrix. Thematrix is set as follows: e(1, 1) = 0, e(1, b1 · · · bn) =0, and

e(a1 · · · ai, 1) ={

1, i = 1

∞, 1 < i ≤ n

Then, to make a the same as b, we replace or deletea sample in a, or insert the same as a sample in b,repeatedly, until reaching the last sample in a. Functione is given by

e(ai, bj) =

e(ai−1, bj−1) if ai = bj

min

e(ai−1, bj−1) + Cr,

e(ai−1, bj) + Cd,

e(ai, bj−1) + Ci

if ai �= bj

(4)

where Cr, Cd , and Ci are replacement, deletion, andinsertion costs, respectively. They are set to 1 in ourevaluation.

Alternatively, χ2-distance-based techniques arefound in diverse areas such as scene-change detec-tion in image sequences [36,37] and anomaly detection[38]. The calculation of the χ2-distance is given by

χ2(a, b) =n∑

i=1

(ai − bi)2

(ai + bi)(5)

Clearly, χ2 = 0 if and only if all samples in a matchthose in b. The higher the value of χ2, the less likelythe observed TVA fits the expected pattern. The χ2-distance function is computationally less expensivethan the editing function, which will be evaluated indetail in Section 5.

4.2.2. Filtering

When an observed TVA matches a pattern in the PDR,the CXR fetches the corresponding distribution (seeEquation (2)). It then applies either of two filteringmethods to select neighbor CXRs. The first methodis a filter based on Chebyshev inequality [39]. Given anormalized pd with a random variable X with a finitemean µ and finite standard deviation σ, the Cheby-shev inequality provides a relationship between σ and|X − µ| such that

P

(|X − µ| ≥ σ√

δp

)≤ δp (6)

The inequality relationship holds for any dropout rateδp > 0. This relationship-based filter is effective whenpd is a normal distribution [39], reflecting a strong rela-tionship between a given pattern and its associationwith a neighbor CXR.

The second method is a cutoff-based filter usinga threshold, δr, on a scale of 0–1 by which top n%neighbor CXRs from the normalized pd are selected.In particular, when δr = 0, no CXRs are selected,and hence only the on-demand routing, which willbe described shortly, remains effective. When δr = 1,all neighbor CXRs are flooded with security contexts.When 0 < δr < 1, security contexts are routed to theselected neighbor CXRs.

4.3. Routing

After the filtering, (the replicas of) security contexts arerouted to the selected neighbor CXRs either in a pre-dictive manner or on-demand. The security contextsare stored in a context register (CR) on the correspond-ing neighbor CXRs. If the MN is bound to one of theselected neighbor CXRs (nCXR) in which the MN’ssecurity context is immediately available, then, it willnot experience any extra delay in fetching its securitycontext from the previous CXR (pCXR) (i.e., predic-tive routing). By contrast, the MN may be eventuallybound to an unexpected neighbor CXR (uCXR), i.e., asecurity-context miss. When the security-context missoccurs, the CXR to which the MN is currently boundfetches its security context from the pCXR (i.e., on-demand routing). After the security context is routedeither in a predictive manner or on-demand, the asso-ciation between pCXR and uCXR, and between theirAPs are added to, or updated on, both pCXR’s anduCXR’s BNRs. The same holds for the correspondingdistribution (Equation (2)) in their PDR.


DOI: 10.1002/sec


The growth of security context replicas varies,depending on the MNs’ location on the domain bound-ary and their cross-handover patterns. In particular,some MNs are likely to cross the boundary and even-tually stay thereon or cross back while some MNsmay cross the boundary back and forth in a short timeperiod, i.e., a ping-pong effect. This effect causes arapid increase in the number of replicas on the corre-sponding CXRs. For this reason, to limit their excessivegrowth, we apply two rules. The first rule is to fixthe buffer size for replicas. When the buffer is full,the replicas in the buffer are invalidated in the leastrecently used order—the invalidation is less costly thanthe deletion—by simply toggling off the validity bit.This rule is effective against the rapid growth of repli-cas. The second rule is to limit the time in keepingthe replicas in the CR. That is, incoming replicas aretime-stamped with a timer threshold. When the timerexpires, the replicas in the CR are scanned in com-parison with the threshold, timeout, and time-stampedtime, eventually invalidating stale replicas. This rulehas a tradeoff between storage savings and computationperformance.

4.4. Prototypical Design

Figure 4 illustrates the software implementation of theCXR and its interfaces with another CXR via CXTP[4] and with MNs via the IEEE 802.21 Standard.

Fig. 4. The CXR software implementation. An access net-work is formed by APs whose location is represented byan xy-coordinate on a grid. An individual MN moves overthe grid based on its own mobility model with the values of

system parameters changed.

Fig. 5. Pseudo code: decision on the predictive routing.

The APQ on the CXR is a registration list on whichthe MN currently bound to the domain is recorded alongwith its sojourn time and association with APs; usingthis information, the MN’s movement is tracked. Givena time interval, the APQ is scanned to find whether anyMN is associated with APs inside the boundary in ref-erence to the BNR. If this is the case, the detection stateis transitioned to the prediction state. In the predictionstate, the CXR performs the predictive routing of thesecurity context according to the cross-handover prob-ability (e.g., 7 times of success in 10 trials of predictiverouting results in the probability of 0.7). So, if the cross-handover probability is greater than the threshold, theCXR applies the prediction algorithm—its pseudo codeis given in Figure 5, thus routing the security context.The demand state, on the other hand, is initiated by arequest from other CXRs (e.g., by a CT-Req messagein CXTP), ultimately transitioning to the reaction statein which the on-demand routing is performed.

5. Evaluation

Success in the predictive routing of security contextsimplies substantial reduction in handover delays. Suchdelays, in particular, involving message exchanges bythe underlying applications, vary greatly, dependingon the round-trip time between two communicationentities. For instance, in the case where two AAAservers are involved for secure communications, theaverage delay in establishing a security association isproportional to the round-trip time between the twoservers [25]. For this reason, our evaluation focuses onprediction accuracy. At the same time, since many MNscross the domain boundary, computation performancefor the prediction mechanisms is also an importantfactor in the evaluation. Thus, the metrics used to indi-cate prediction and computation performance includeaccuracy and CPU utilization. Accuracy is representedby (TP + TN)/(TP + TN + FP + FN), where TP(true positive)—the number of times the selection


DOI: 10.1002/sec


Fig. 6. Movement path estimation with the Kalman filter.

of a neighbor CXR is correctly estimated; TN (truenegative)—an MN is estimated to stay on its currentCXR; FP (false positive)—an MN is bound to an unpre-dicted CXR; and FN (false negative)—an MN leaves itscurrent CXR although it was predicted to stay thereon.

5.1. Kalman Filter

We evaluate prediction accuracy in comparison withthe Kalman filter [13]. In applying the Kalman filer, astate is specified by the MN’s location (x and y) andspeed (dx/dt, dy/dt), and we set values in process andmeasurement noise covariances, Q and R, to 0.1 and 1,respectively. In addition to these parameters, we set val-ues in transition matrix A and measurement matrix H as

1 0 t 0

0 1 0 t

0 0 1 0

0 0 0 1

and

(1 0 0 0

0 1 0 0

).

Figure 6 shows the efficacy of the Kalman filter;estimation accuracy is determined by two factors: mea-surement and past states. At the time of initialization,however, the past state is unknown, and hence theKalman filter performs in an ad hoc manner. Even witha poor initialization, however, it quickly converges tothe true values.

In the following, we first describe the simulation ofMNs and access networks. Then, after assessing sys-tem parameters defined in our prediction mechanisms,prediction accuracy is evaluated with the local opti-mal values of the obtained system parameters. Finally,we analyze computation performance for the predictionmechanisms.

5.2. Simulation of MNs and Access Networks

APs are assumed to be randomly and uniformlydistributed, forming a virtual access network. We havechosen a grid with a tradeoff between practice and

simplicity. On a grid, each node has eight neighborsexcept for the nodes positioned at the edge of the grid.Its network size is a 20 × 20 grid, which is partitionedinto 25 domains (i.e., CXRs). The grid allows for easeof simulating and tracking the MN traffic.

Each MN moves, according to its own mobilitymodel while being associated with different APs. Ata given time t, the CXR obtains the MN’s location andthen calculates the location of the AP closest to the MNby applying a 2-level hash function such that APs on thegrid are filtered, based on the MN’s x coordinate. Thisresults in an array of APs closest to the x coordinate.The array is again filtered based on the MN’s y coordi-nate, thereby obtaining the location of the AP closestto the MN. This way, the CXR calculates the loca-tion of the MN and corresponding AP. The calculationrecurs at t + �t, where �t is the monitoring interval.�t is given, based on the MN’s maximum speed, Vmax,i.e., �t = d/Vmax, where d is the distance between theMN’s current and previous APs. Obviously, d is smallerthan the distance (D) between the centers of the twoinvolved APs, assuming that the two APs’ coverageareas (circles) overlap to the extent that d = D/2. �t isadjusted to capture a series of the MN’s association withAPs. The smaller the value of �t, the more fine-grainedthe measures, but the higher the overhead thereby.

Figure 7 shows MNs’ movement traces and theirassociation with APs. The smaller the value of �t, themore fine-grained traces we can obtain, in comparisonwith Figure 7(a) and (b). Obviously, the monitoringfrequency governs a tradeoff between the accuracy inprediction and the overhead for the monitoring. Themonitoring frequency is bound to a certain degreeof accuracy due to the inherent uncertainty/noise andabstraction on the traces. For instance, Figure 7(c) and(d) each are the abstracted traces of Figure 7(a) and (b).Figure 7(c) is coarse-grained, compared to Figure 7(d),resulting in low accuracy in prediction. By contrast,when the MNs’ movement pattern is considered adhoc, the coarse-grained abstraction can be sufficientlyeffective.

5.3. Assessment of System Parameters

System parameters considered for the evaluationinclude the TVA length combined with the matchingthreshold δd , cutoff threshold δr, and dropout rate δp.In order to assess these parameters, we create 100 MNsthat move based on their mobility model and observetheir movement patterns; each MN undergoes handover1000 times. First, when the TVA length increases from6 to 15 with δd set so as to let two TVAs match more than


DOI: 10.1002/sec


Fig. 7. MN trace and abstraction. (a) MN traces in �t; (b) MN traces in �t′ = �t/2; (c) AP-association traces of (a); and (d)AP-association traces of (b).

70% of times, the 9- and 13-length TVAs yield locallyhighest prediction accuracy. When δd is set to let 60%of two TVAs match, the 11-length TVA results in thehighest prediction accuracy. Thus, both the TVA lengthand its threshold must be tuned together for the bestresults, based on the edit distance technique applied.We set the TVA length and δd to 9 and 70%, respec-tively, throughout the evaluation. In addition to theseparameters, we set each δr and δp to 5 and 0.5 whichappear almost constant.

For the ping-pong effect, depending on the cross-handover probability, the threshold is adjusted. Whenthe MN is unlikely to cross back immediately, the pre-dictive routing may not be applied just after the MN’scross-handover. For this reason, it is important to findan optimal cross-handover probability threshold that istuned to the MNs’ movement patterns. Figure 8 showsthe relationship between the threshold and false alarmrate including the false negative and false positive rates.To some degree, the lower the threshold, the moreaggressive and frequent the predictive routing. Whenthe threshold decreases below the value of 0.3, the false-alarm rate goes up to 0.44, implying more MNs that

Fig. 8. False alarm versus cross-handover probabilitythreshold.

have crossed the boundary are likely to stay thereonalthough they are predicted to cross back. When thethreshold increases above the value of 0.4, the false-alarm rate also goes up to 0.49, implying that moreMNs are likely to cross back although they are pre-dicted to stay thereon. Accordingly, the cross-handoverprobability threshold ranging from 0.3 to 0.4 is set tocope with the ping-pong effect.

5.4. Evaluation Results

Four prediction mechanisms have been describedin Section 4. The cutoff-based and inequalityrelationship-based mechanisms are combined with theedit-distance and χ2-distance functions. Predictionaccuracy is related to not only the similarity measure-ment techniques, but also the classification of patternsinto groups. Each group is represented by the probabil-ity distribution pd on which the prediction mechanismsdepend. In general, the inequality-based mechanismsare effective for pd that is normally distributed witheven a large variance, while the cutoff-based mech-anisms operate well with various distributions. Asshown in Figure 9, prediction accuracy offered by theinequality-based mechanisms almost equals that by thecutoff-based ones. In which case, selecting a similaritymeasurement technique determines the performance ofprediction accuracy. That is, applying the edit distancetechnique achieves up to 1.4 times higher predictionaccuracy than applying χ2-distance.

Since the Kalman filter yields an estimated futurelocation of the MN, we select the AP closest tothe estimated location and then the neighbor CXRthat controls the AP. Note that the selected AP maynot be on the domain boundary, which is not foundin the BNR. This case requires additional informa-tion on the binding of a neighbor CXR and itsAPs to be available to another CXR. Conversely,our prediction mechanisms capture an AP associationpattern based on the MN’s movements, limiting the


DOI: 10.1002/sec


Fig. 9. Average prediction accuracy comparison of the fourmechanisms with the Kalman filtering (KF): CF and IE standfor cutoff and inequality, and E and X for edit and χ2 dis-

tances, respectively.

number of neighbor CXRs to which to route the cor-responding security context. Thus, for the fairnesspurposes, the cutoff- and inequality-based mecha-nisms select one neighbor CXR. Also, the Kalmanfilter-based estimation is deferred until the BNR ispopulated, and the same holds for our mechanisms.

As shown in Figure 9, all the four predic-tion mechanisms outperform the Kalman filter-basedapproach. Particularly, applying the edit distance tothe inequality- and cutoff-based mechanisms causesthem to outperform the Kalman filter-based approachby 54 and 49%, respectively. Similarly, applying theχ2 distance to those mechanisms achieves up to 15%higher accuracy. Meanwhile, we also measured pre-diction accuracy of the flooding method of routingsecurity contexts to all neighbor CXRs (i.e., δr = 1).The flooding method is only 6% more accurate thanthe inequality-based mechanism with the edit distanceapplied, which underachieves in the sense that theother mechanisms pinpoint a single CXR. Rather, ourmechanisms impose less heavy network traffic thanthe flooding method—the traffic created by the flood-ing method is proportional to the number of neighborCXRs. This advantage grows as the number of MNslikely to undergo a cross-handover increases. Con-sidering that tens of millions MNs move round, thisadvantage must be of great benefit.

Based on the accuracy data shown in Figure 9, wecan project how much benefit we can get via the pre-dictive routing based on the best of the four, i.e., theinequality-based mechanism having the edit distance.Statistically speaking, the predictive routing causes thecross-handover to be on average 2.5 times faster thanthe reactive routing that is required to fetch securitycontexts. This improvement linearly increases as thedelay in fetching grows.

Fig. 10. Average CPU utilization comparison.

When it comes to computation performance, apply-ing the χ2-distance is three times more efficientthan applying the edit-distance, since the edit-distancerequires to perform many comparison operations atthe expense of prediction accuracy, as shown inFigure 10. Similarly, applying the χ2-distance to theinequality-based mechanism is 3.6 times more efficientthan the Kalman filtering. Accordingly, the inequality-based mechanism with the χ2-distance applied is thebest option for computation performance, while apply-ing the edit-distance to either the cutoff- or inequality-based mechanism is the one for prediction accuracy.

6. Conclusion

As MNs undergo cross-handovers, their security con-texts must be effectively and efficiently transferred andmanaged both on-demand and in a predictive manner.This paper presented a CXR, an integrated frameworkfor security-context management in the cross-handover, with the aim of furthering users’ mobility andseamless secure execution of their applications on theirmobile devices. We began by characterizing the MN’smovement patterns and then designed the CXR withthree important steps. We analyzed prediction accu-racy in routing (the replicas of) the security contextsahead of the MN’s arrival. The evaluation result showsthat the predictive routing causes cross-handovers tobe 2.5 times faster than the reactive routing. In sum-mary, we have (1) provided an integrated frameworkin combination of the security context routing methodsand prediction mechanisms with the patterns extractedfrom the association with APs, and (2) achieved the effi-cacy, deployability, and scalability of security contextmanagement. As a consequence, our CXR allows forseamless and secure services with predictive routing ofsecurity contexts enabled.


DOI: 10.1002/sec


References

1. Kim H, Shin KG. Predictive routing of contexts in an overlaynetwork. In IM, IFIP/IEEE, June 2009.

2. Gupta V, Das S, Cypher D. http://www.ieee802.org/21/3. Koodli R, Perkins CE. Fast handovers and context transfers in

mobile networks. SIGCOMM Computer Communication Review2001; 31(5): 37–47.

4. Loughney J, Nakhjiri M, Perkins C, Koodli R. Context transferprotocol. RFC 4067, July 2005.

5. Mishra A, Shin M, Arbaugh W. Context caching using neighborgraphs for fast handoffs in a wireless network. In INFOCOM,Hong Kong, IEEE, March 2004.

6. Chou C-T, Shin KG. Smooth handoff with enhanced packetbuffering-and-forwarding in wireless/mobile networks. WirelessNetworks 2007; 13(3): 285–297.

7. Song L, Deshpande U, Kozat U, Kotz D, Jain R. Predictabilityof wlan mobility and its effects on bandwith provisioning. InINFOCOM, Barcelona, Spain, IEEE, April 2006.

8. Akyildiz I, Wang W. The predictive user mobility profileframework for wireless multimedia networks. Transactions onNetworking 2004; 12(6): 1021–1035.

9. Liu T, Bahl P, Chlamtac I. Mobility modeling, location tracking,and trajectory prediction in wireless atm networks. Journal onSelected Areas in Communications 1998; 16(6): 922–936.

10. Soh W-S, Kim HS. Dynamic bandwidth reservation in cellu-lar networks using road topology based mobility predictions. InINFOCOM, Hong Kong, IEEE, March 2004.

11. Liang B, Haas Z. Predictive distance-based mobility manage-ment for pcs networks. Transactions on Networking 2003; 11(5):718–732.

12. Duda RO, Hart PE, Stork DG. Pattern Classification (2nd edn).Wiley-Interscience: New York, 2001. ISBN 0-471-05669-3

13. Welch G, Bishop G. An introduction to the kalman filter. Tech-nical Report TR 95-041, UNC at Chapel Hill, July 2006.

14. Allard F, Bonnin J-M. An application of the context transferprotocol; ipsec in a ipv6 mobility environment. InternationalJournal of Communication Networks and Distributed Systems2008; 1(1): 110–126.

15. Perkins C, Calhoun P, Burmeister C, Degermark M. AAA regis-tration keys for mobile IP. IETF Draft, work in progress, 2003.

16. Bormann C, et al. Robust header compression (rohc): frame-work and four profiles: RTP, UDP, ESP, and uncompressed.RFC 3095, July 2001.

17. Westphal C, Koodli R. IP header compression: a study of contextestablishment. In WCNC, IEEE, March 2003; 1025–1031.

18. IEEE Computer Society LAN MAN Standards Committee.Technical Report ANSI/IEEE Std 802.1X-2001, IEEE, 2001.

19. Mishra A, Shin M, Arbaugh W. Pro-active key distribution usingneighbor graphs. Wireless Communications Magazine 2004;11(1): 26–36.

20. Authentication authorization and accounting IETF WG.http://www.ietf.org/html.charters/aaa-charter.html

21. WEP algorithm. http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

22. Aboba B, et al. Part 11: wireless LAN medium access control(MAC) and physical layer (PHY) specifications: specificationfor robust security. Technical Report IEEE Std 802.11i/D3.1,IEEE, 2003.

23. Rigney C, Willens S, Rubens AC, Simpson WA. Remote authen-tication dial in user service. RFC 2865, June 2000.

24. Calhoun PR, Loughney J, Guttman E, Zorn G, Arkko J. Diameterbase protocol. RFC 3588, September 2003.

25. Kim H, Afifi H. Improving mobile authentication with new AAAprotocols. In ICC, IEEE, Anchorage, USA, May 2003; 497–501.

26. Georgiades M, Akhtar N, Politis C, Tafazolli R. Enhancingmobility management protocols to minimise aaa impact onhandoff performance. Computer Communications 2007; 30(3):608–618.

27. Shin M, Ma J, Mishra A, Arbaugh WA. Wireless network secu-rity and interworking. In Proceedings of the IEEE 2006; 94(2):455–466.

28. Kim H, Shin KG, Dabbous W. Improving cross-domain authenti-cation over wireless local area networks. In SecureComm, IEEE,Athens, Greece, September 2005; 127–138.

29. Shirdokar R, Kabara J, Krishnamurthy P. A QoS-based indoorwireless data network design for VoIP. In Vehicular TechnologyConference, vol. 4. IEEE, October 2001.

30. Yoon J, Liu M, Noble B. Sound mobility models. In InternationalConference on Mobile Computing and Networking , ACM, SanDiego, California, September 2003; 205–216.

31. Kim M, Kotz D, Kim S. Extracting a mobility model from realuser traces. In INFOCOM, IEEE, Barcelona, April 2006.

32. Choi S, Shin KG. Predictive and adaptive bandwidth reservationfor hand-offs in QoS-sensitive cellular networks. In SIGCOMMComputer Communication Review , ACM, Vancouver, BritishColumbia, September 1998; 155–166.

33. Cristianini N, Shawe-Taylor J. An Introduction to Support VectorMachines and Other Kernel-based learning Methods. Cam-bridge University Press: New York, 2000. ISBN 0-521-78019-5

34. Keerth S, Lin C-J. Asymptotic behaviors of support vectormachines with Gaussian kernel. Neural Computation 2003;15(7): 1667–1689.

35. Chang C, Lin C. Libsvm: a library for support vector machines.http://www.csie.ntu.edu.tw/∼cjlin/libsvm, 2001.

36. Patel NV, Sethi IK. Compressed video processing for cutdetection. Vision, Image and Signal Processing 1996; 143(5):315–323.

37. Ford RM, Robson C, Temple D, Gerlach M. Metrics for scenechange detection in digital video sequences. In IEEE Interna-tional Conference on Multimedia Computing and Systems, IEEE,Los Alamitos, CA, USA, 1997; 610–611.

38. Ye N, Chen Q. An anomaly detection technique based on a chi-square statistic for detecting intrusions into information systems.Quality and Reliability Engineering International 2001; 17(2):105–112.

39. Papoulis A, Pillai SU. Probability, Random Variables andStochastic Processes (4nd edn). McGraw-Hill: New York, 2002.ISBN 0-07-366011-6


DOI: 10.1002/sec

on predictive routing of security contexts in an all-ip ... · on predictive routing of security...

Documents